* [pve-devel] [PATCH container v2 1/3] setup: remove deprecated dsa from ssh host key generation
From: Daniel Kral @ 2025-07-04 18:23 UTC
  To: pve-devel

OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
is the base version that will be shipped for Debian 13 trixie. Since it
has been marked deprecated for some time and generating DSA signatures
with OpenSSH 10.0 will fail, remove it.

[0] https://www.openssh.com/txt/release-10.0
[1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
 src/PVE/LXC/Setup/Base.pm | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 6bdfb8d..dbfc775 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
 
     return {
         rsa => 'ssh_host_rsa_key',
-        dsa => 'ssh_host_dsa_key',
         ecdsa => 'ssh_host_ecdsa_key',
         ed25519 => 'ssh_host_ed25519_key',
     };
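Review bot: dropping `dsa => 'ssh_host_dsa_key'` only stops generating a DSA host key; a template that already ships ssh_host_dsa_key and ssh_host_dsa_key.pub still leaves them in the container's /etc/ssh, where an OpenSSH 10.0 sshd (which, per the commit message, no longer supports DSA) cannot use them. State in the commit message whether such stale template keys are cleaned up elsewhere, or remove them here together with the generator entry, and mention that this hunk is the fix for the "unknown key type dsa" failure seen during container creation on OpenSSH 10.0 hosts.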
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [RFC container v2 2/3] setup: base: remove existing ssh host keys
From: Daniel Kral @ 2025-07-04 18:23 UTC
  To: pve-devel

Remove existing SSH host keys after container creation to prevent
multiple containers sharing the same SSH host keys, especially those
which are not overwritten/generated by rewrite_ssh_host_keys() later.

This is called in the Base's post_create_hook(...) to prevent unwanted
removal for certain types of containers, e.g., unmanaged containers.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Because of the HA Rules stuff, I unfortunately didn't get the time to
properly test these with any container images, but wanted to send them
anyway.

 src/PVE/LXC/Setup/Base.pm | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index dbfc775..ea6f598 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -466,6 +466,30 @@ sub set_user_password {
     }
 }
 
+sub remove_existing_ssh_host_keys {
+    my ($self) = @_;
+
+    my $ssh_rootdir = "$self->{rootdir}/etc/ssh";
+
+    return if !-d $ssh_rootdir;
+
+    PVE::Tools::dir_glob_foreach(
+        $ssh_rootdir,
+        qr/ssh_host_.*/,
+        sub {
+            my ($key_filename) = @_;
+
+            next if $self->ct_is_file_ignored($key_filename);
+
+            print "Remove existing ssh host key '$key_filename' ...\n";
+
+            $self->protected_call(sub {
+                $self->ct_unlink($key_filename);
+            });
+        },
+    );
+}
+
 my $parse_home_dir = sub {
     my ($self, $passwdfile, $user) = @_;
 
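Review bot: `$key_filename` is the bare directory entry matched by `qr/ssh_host_.*/`, so `$self->ct_is_file_ignored($key_filename)` and `$self->ct_unlink($key_filename)` receive `ssh_host_rsa_key` rather than the container-absolute `/etc/ssh/ssh_host_rsa_key` that patch 3/3 passes to `ct_is_file_ignored`; build the path first, e.g. `my $key_path = "/etc/ssh/$key_filename";`, and use it for both the ignore check and the unlink. Independently, `next if $self->ct_is_file_ignored(...)` sits inside an anonymous sub, so it leaves the callback via `next` (Perl warns "Exiting subroutine via next"); `return` is the right control flow there. The pattern also matches the `.pub` halves, which looks intended but is worth stating in the commit message.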
@@ -687,6 +711,7 @@ sub post_create_hook {
     &$randomize_crontab($self, $conf);
 
     $self->set_user_password($conf, 'root', $root_password);
+    $self->remove_existing_ssh_host_keys();
     $self->set_user_authorized_ssh_keys($conf, 'root', $ssh_keys) if $ssh_keys;
     $self->setup_init($conf);
     $self->setup_network($conf);
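Review bot: the new `$self->remove_existing_ssh_host_keys();` call is unconditional, so it runs on every path that reaches post_create_hook, not only on fresh creation from a template; if the hook is also reached on restore or clone, the keys a restored container legitimately owned are deleted and later replaced, which is the concern raised further down in the thread. Gate the call on the create path (or on the "unique" flag for clone/restore) and document the intended scope in the commit message, which currently only mentions unmanaged containers as the excluded case.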
-- 
2.39.5





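The situation this patch addresses, several containers created from one template and therefore presenting the same SSH host keys, can be checked for from the host side before and after such a change. The following is an added example, not code from pve-container or from this patch series: it fingerprints every /etc/ssh/ssh_host_*.pub under a set of container root filesystems the way `ssh-keygen -lf` does (SHA256 over the base64-decoded key blob, base64-encoded without padding) and reports fingerprints that occur in more than one rootfs. The three rootfs trees and the ssh-ed25519 key lines it scans are constructed in a temporary directory and are not real keys; the container names ct100/ct101/ct102 are made up.

```python
"""Detect SSH host keys shared between container root filesystems.

Added example, not part of pve-container. The sample rootfs trees and
key material below are constructed for the demo and are not real keys.
"""
import base64
import hashlib
import os
import struct
import tempfile
from collections import defaultdict

HOST_KEY_PREFIX = "ssh_host_"


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one '<type> <base64 blob> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_public_keys(rootdir: str):
    """Yield (container-absolute path, key line) for every ssh_host_*.pub under rootdir/etc/ssh."""
    ssh_dir = os.path.join(rootdir, "etc", "ssh")
    if not os.path.isdir(ssh_dir):
        return
    for name in sorted(os.listdir(ssh_dir)):
        if name.startswith(HOST_KEY_PREFIX) and name.endswith(".pub"):
            with open(os.path.join(ssh_dir, name)) as fh:
                yield "/etc/ssh/" + name, fh.read().strip()


def shared_host_keys(rootdirs):
    """Return {fingerprint: [(rootdir, path), ...]} for keys present in more than one rootfs."""
    seen = defaultdict(list)
    for rootdir in rootdirs:
        for path, line in host_public_keys(rootdir):
            seen[fingerprint_sha256(line)].append((rootdir, path))
    return {
        fp: sorted(locs)
        for fp, locs in seen.items()
        if len({root for root, _ in locs}) > 1
    }


def _fake_ed25519_pub(seed: bytes) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 public key line, not a real key."""
    key_bytes = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@template"


def build_sample_rootfs(base: str) -> list:
    """Create three fake CT rootfs dirs: ct100 and ct101 still carry the template key, ct102 got a fresh one."""
    template_key = _fake_ed25519_pub(b"template")
    layout = {
        "ct100": template_key,
        "ct101": template_key,
        "ct102": _fake_ed25519_pub(b"fresh-ct102"),
    }
    roots = []
    for name, pub in layout.items():
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "etc", "ssh"))
        with open(os.path.join(root, "etc", "ssh", "ssh_host_ed25519_key.pub"), "w") as fh:
            fh.write(pub + "\n")
        roots.append(root)
    return roots


def run_demo() -> dict:
    """Scan the constructed rootfs trees; report shared keys keyed by fingerprint with container names."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = shared_host_keys(build_sample_rootfs(tmp))
        return {
            fp: [(os.path.basename(root), path) for root, path in locs]
            for fp, locs in shared.items()
        }


if __name__ == "__main__":
    for fp, locs in run_demo().items():
        print(fp, "shared by", ", ".join(f"{name}:{path}" for name, path in locs))
```

On a real host the rootdirs would be the mounted container root filesystems rather than a temp tree (which mount helper to use is an assumption of the reader's setup, not shown here); any fingerprint the scan reports is a key that survived creation from the template, so a client that has pinned it in known_hosts cannot distinguish those containers from each other.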

* [pve-devel] [RFC container v2 3/3] setup: skip rewriting ignored ssh host keys
From: Daniel Kral @ 2025-07-04 18:23 UTC
  To: pve-devel

Skip rewriting any SSH host keys that are actively marked as ignored by
the container template.

This is done for consistency with remove_existing_ssh_host_keys(), which
skips removing any ignored SSH host keys as well.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Because of the HA Rules stuff, I unfortunately didn't get the time to
properly test these with any container images, but wanted to send them
anyway.

 src/PVE/LXC/Setup.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 02aefc6..db5d181 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -276,12 +276,22 @@ sub rewrite_ssh_host_keys {
     my $keyfiles = [];
     for my $keytype (keys $keynames->%*) {
         my $basename = $keynames->{$keytype};
+        my $private_basename = "/etc/ssh/$basename";
+        my $public_basename = "/etc/ssh/$basename.pub";
+
+        if (
+            $self->ct_is_file_ignored($private_basename)
+            || $self->ct_is_file_ignored($public_basename)
+        ) {
+            print "Skip generating SSH host key '$basename', because it is ignored.\n";
+            next;
+        }
+
         print "Creating SSH host key '$basename' - this may take some time ...\n";
         my ($id, $private, $public) = generate_ssh_key($keytype, "root\@$hostname");
         print "done: $id\n";
 
-        push $keyfiles->@*, ["/etc/ssh/$basename", $private, 0600],
-            ["/etc/ssh/$basename.pub", $public, 0644];
+        push $keyfiles->@*, [$private_basename, $private, 0600], [$public_basename, $public, 0644];
     }
 
     $self->protected_call(sub { # write them now all to the CTs rootfs at once
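Review bot: the skip condition `$self->ct_is_file_ignored($private_basename) || $self->ct_is_file_ignored($public_basename)` does not line up with the removal in patch 2/3, which decides per file: if only the `.pub` half is marked ignored, 2/3 deletes the private key and this hunk then skips regenerating the pair, leaving a public key file with no private key behind, so sshd cannot offer that host key at all. Either treat the pair as ignored only when the private key is ignored (and have 2/3 leave the matching `.pub` alone in that case), or apply the same per-pair rule in both places. Minor: `$private_basename` and `$public_basename` hold full container paths, so `$private_path` / `$public_path` would describe them better.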
-- 
2.39.5






* Re: [pve-devel] [PATCH container v2 1/3] setup: remove deprecated dsa from ssh host key generation
From: Lukas Wagner @ 2025-07-16 11:36 UTC
  To: Proxmox VE development discussion, Daniel Kral



On 2025-07-04 20:23, Daniel Kral wrote:
> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> is the base version that will be shipped for Debian 13 trixie. Since it
> has been marked deprecated for some time and generating DSA signatures
> with OpenSSH 10.0 will fail, remove it.
> 
> [0] https://www.openssh.com/txt/release-10.0
> [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
> 
> Signed-off-by: Daniel Kral <d.kral@proxmox.com>


Creating a Debian 12 container on PVE 9 does not work at the moment due to this error during container creation:

      Creating SSH host key 'ssh_host_dsa_key' - this may take some time ... unknown key type dsa

I can confirm that this patch makes it work again, so consider this:

Tested-by: Lukas Wagner <l.wagner@proxmox.com>

-- 
- Lukas






* Re: [pve-devel] [PATCH container v2 1/3] setup: remove deprecated dsa from ssh host key generation
From: Lukas Wagner @ 2025-07-16 12:07 UTC
  To: Proxmox VE development discussion, Daniel Kral

On 2025-07-16 13:36, Lukas Wagner wrote:
> 
> 
> On 2025-07-04 20:23, Daniel Kral wrote:
>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
>> is the base version that will be shipped for Debian 13 trixie. Since it
>> has been marked deprecated for some time and generating DSA signatures
>> with OpenSSH 10.0 will fail, remove it.
>>
>> [0] https://www.openssh.com/txt/release-10.0
>> [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
>>
>> Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> 
> 
> Creating a Debian 12 container on PVE 9 does not work at the moment due to this error during container creation:
> 
>       Creating SSH host key 'ssh_host_dsa_key' - this may take some time ... unknown key type dsa
> 
> I can confirm that this patch makes it work again, so consider this:
> 
> Tested-by: Lukas Wagner <l.wagner@proxmox.com>
> 

Meh, was tricked by Thunderbird's search function and didn't see the other two patches of this series.
The T-b only applies for the first patch for now...

-- 
- Lukas






* Re: [pve-devel] [RFC container v2 2/3] setup: base: remove existing ssh host keys
From: Thomas Lamprecht @ 2025-07-17  0:27 UTC
  To: Proxmox VE development discussion, Daniel Kral

Am 04.07.25 um 20:23 schrieb Daniel Kral:
> Remove existing SSH host keys after container creation to prevent
> multiple containers sharing the same SSH host keys, especially those
> which are not overwritten/generated by rewrite_ssh_host_keys() later.
> 
> This is called in the Base's post_create_hook(...) to prevent unwanted
> removal for certain types of containers, e.g., unmanaged containers.
> 

Does this also remove host keys on backup restore? If so, this is probably
a bit too intrusive. For clone/restore we might couple it with the "unique"
flag, just as a (not so thought out) idea.



